
Effective_user in USER_TTY appears as unknown

agustinac
New Member

The field effective_user in USER_TTY appears as "unknown" when I believe it should indicate that it is root. In posix_identities.csv the entry (0, root) is not created. I tried to create it manually, but the file keeps being updated.
Is it necessary to update the lookup in Splunk Web (Settings > Lookups > Automatic lookups) and add the entry for root? If that is the case, how is it done?

Can anyone help me?

Thanks in advance!

1 Solution

doksu
SplunkTrust

The posix_identities lookup shouldn't be manually modified, as it's automatically and periodically updated by a scheduled search that merges the directory_posix_identities and local_posix_identities lookups. The correct place to add the 0,root entry is in the local_posix_identities lookup. Please see the documentation for more information: https://github.com/doksu/splunk_auditd/wiki/Installation-and-Configuration#configuration


agustinac
New Member

doksu, thanks for your answer.
I do not understand one thing: the /etc/passwd on my Splunk server (Windows 2012 R2) has the users of Splunk Web, not the users of the Linux server (the one that is sending the logs to my Splunk).
I ran the command on the Linux server, but that does not replicate into the app in Splunk.
Do I have to copy the file from my Linux server to the server that is running Splunk, or create the file manually?

thanks again.


doksu
SplunkTrust

agustinac, the awk command in the documentation points at /etc/passwd on Linux, not $SPLUNK_HOME/etc/passwd

The method you use to produce the local_posix_identities lookup on the Splunk search head doesn't matter. If your search head is a Windows machine you won't be able to use the awk command provided in the documentation and will need to find another Linux machine in your fleet from which to produce the csv then copy to the search head. If you need assistance with this process, please ask your local Splunk Sales Engineer who can assist with the process in person.

I strongly recommend you don't use Windows for Splunk (or other big data) servers, please see: https://answers.splunk.com/answers/516059/what-are-the-pain-points-with-deploying-your-splun.html

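As an added illustration of the approach doksu describes above (this is example code written for this page, not the awk one-liner from the splunk_auditd wiki or any other code from the project): a small POSIX shell script that turns an /etc/passwd-style file taken from the monitored Linux host into a uid,user CSV suitable for use as the local_posix_identities lookup. The column header names (uid, user) and the lookup file name are assumptions; match whatever the app's lookup definition in transforms.conf actually expects. Comment lines and entries without a numeric UID are skipped, and the output is sorted by UID so the 0,root row that the thread is about lands first. Because it is plain sh plus awk and sort, it is meant to be run on the Linux host and the resulting file copied to the (here, Windows) search head, as doksu suggests.

```shell
#!/bin/sh
# Added example, not the splunk_auditd project's own code.
# Builds a local_posix_identities-style CSV from an /etc/passwd-format file.
# ASSUMPTIONS: header "uid,user" and the file name local_posix_identities.csv
# must be checked against the app's lookup definition before use.
set -eu

# Read /etc/passwd content on stdin, write "uid,user" CSV on stdout.
# passwd fields are colon-separated: login is field 1, numeric UID is field 3.
# Skip comments, short lines and entries whose UID is not purely numeric,
# then sort numerically on the UID column so 0,root is the first data row.
passwd_to_csv() {
    printf 'uid,user\n'
    awk -F: 'NF >= 3 && $1 !~ /^#/ && $3 ~ /^[0-9]+$/ { print $3 "," $1 }' \
        | sort -t, -k1,1n
}

# Constructed sample passwd lines (not from any real host) so the script
# runs offline; a real run would read the monitored Linux box's /etc/passwd.
SAMPLE_PASSWD='# system accounts
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
agustinac:x:1000:1000:Agustina:/home/agustinac:/bin/bash
splunk:x:1001:1001::/opt/splunk:/bin/bash
broken:x:notanumber:5::/nonexistent:/bin/false'

# Return the CSV produced for the constructed sample so it can be checked.
sample_csv() {
    printf '%s\n' "$SAMPLE_PASSWD" | passwd_to_csv
}

# Real use on the Linux host that ships the auditd logs:
#   passwd_to_csv < /etc/passwd > local_posix_identities.csv
# then copy local_posix_identities.csv into the app's lookups directory on
# the search head (under $SPLUNK_HOME/etc/apps/<app>/lookups/), and let the
# app's scheduled search merge it into posix_identities; do not edit
# posix_identities.csv itself, as that file is regenerated.
```

Note the distinction doksu draws: the script reads the Linux server's /etc/passwd, which lists the OS accounts that appear in the auditd events, not $SPLUNK_HOME/etc/passwd, which only holds Splunk Web users.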

agustinac
New Member

doksu, thanks very much! That is exactly what I did. Now the user_tty view is working just fine, and the posix_identities CSV file has been updated with the value 0,root from the local posix identities file.
Also thanks for your advice on using Linux instead of Windows for the indexer; I will keep that in mind.
Regards!
